Add annotation for image policy webhook fail open. #46264
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
size/S
| if annotations == nil { | ||
| annotations = make(map[string]string) | ||
| } | ||
| annotations["alpha.image-policy.k8s.io/failed-open"] = "true" |
There was a problem hiding this comment.
put the annotation key constant in api/annotation_key_constants.go with proper documentation
There was a problem hiding this comment.
Done. Building locally, and then pushing.
|
do we also want an annotation when verification succeeds? |
|
use of annotations in auditing may not be very useful since they are mutable after the fact |
|
The annotation's primary function is to catch the event in audit logging. I don't think we want an annotation when it succeeds, because it's just adding noise. |
The initial creation response will still get captured by the audit logs, before anything can change (remove) the annotation. That said, do you think it would be worth extending the validation logic here to apply to arbitrary labels? We could have a standard key prefix that would prevent labels from being removed, e.g. |
| @@ -19,6 +19,10 @@ limitations under the License. | |||
| package api | |||
|
|
|||
| const ( | |||
| // ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy | |||
| // webhook backend fails. | |||
| ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open" | |||
There was a problem hiding this comment.
You need to copy this to the versioned api too (bleh): https://github.com/kubernetes/kubernetes/blob/master/pkg/api/v1/annotation_key_constants.go
There was a problem hiding this comment.
What does the "alpha" in the name refer to? The annotation isn't driving behavior, it's informational. Also, most existing alpha annotations I can find are using <area>.alpha.kubernetes.io/<name> (see other annotations in this file)
There was a problem hiding this comment.
I based the name off the "filterAnnotations" function in this file. It checks this ".image-policy.k8s.io/"
I'm OK with "image-policy..k8s.io/", but the naming inconsistency sounds like a good thing to fix from alpha > beta.
| if err != nil { | ||
| glog.V(2).Infof("error contacting webhook backend: %s", err) | ||
| if a.defaultAllow { | ||
| annotations := pod.ObjectMeta.GetAnnotations() |
k8s-github-robot
added
size/M
|
@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this |
|
LGTM. I think this should probably have a release-note though, since it's user-visible. Is there any way to test this in the e2e environment? I'm not sure how you'd trigger a webhook error... |
|
Ya, I can e2e test it today. |
|
The annotation is being properly applied when the webhook fails open. apiVersion: v1 I0531 22:43:31.184275 5 admission.go:94] error contacting webhook backend: an error on the server ("unknown") has prevented the request from succeeding |
|
@liggitt anything else on this PR? |
|
Nothing else from me |
|
@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this |
Q-Lee
added
release-note
|
@derekwaynecarr - could I get approval before the code freeze? |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/assign erictune |
|
/approve |
1 similar comment
|
/approve |
davidopp
added
the
approved
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Q-Lee, davidopp, erictune, timstclair The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
Automatic merge from submit-queue (batch tested with PRs 46681, 46786, 46264, 46680, 46805) |
What this PR does / why we need it: there's no good way to audit log if binary verification fails open. Adding an annotation can solve that, and provide a useful tool to audit [non-malicious] containers.
Release note: add the annotation "alpha.image-policy.k8s.io/failed-open=true" to pods created when the image policy webhook fails open.